Skip to content

Add bouncycastle permissions to security.policy #9770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
cwperks wants to merge 5 commits into from
Closed

Add bouncycastle permissions to security.policy #9770

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8c85f27
Add bouncycastle permissions to security.policy
cwperks Sep 5, 2023
a3f35b2
Add CHANGELOG entry
cwperks Sep 5, 2023
9e43830
Merge branch 'main' into add-bc-permissions
cwperks Sep 5, 2023
9e453dd
Add permissions to enable security to read PKCS#1 keys
cwperks Sep 5, 2023
037efca
Merge branch 'add-bc-permissions' of https://github.com/cwperks/OpenS…
cwperks Sep 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Added sampler based on `Blanket Probabilistic Sampling rate` and `Override for on demand` ([#9621](https://github.com/opensearch-project/OpenSearch/issues/9621))
- [Remote Store] Add support for Remote Translog Store stats in `_remotestore/stats/` API ([#9263](https://github.com/opensearch-project/OpenSearch/pull/9263))
- Add support for query profiler with concurrent aggregation ([#9248](https://github.com/opensearch-project/OpenSearch/pull/9248))
- Add bouncycastle permissions to security.policy ([#9770](https://github.com/opensearch-project/OpenSearch/pull/9770))

### Deprecated

Expand Down
8 changes: 8 additions & 0 deletions server/src/main/resources/org/opensearch/bootstrap/security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,14 @@ grant codeBase "${codebase.zstd-jni}" {
permission java.lang.RuntimePermission "loadLibrary.*";
};

grant codeBase "${codebase.bcprov-jdk15to18}" {
Copy link
Contributor

@RyanL1997 RyanL1997 Sep 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this for jdk 11?

Copy link
Member Author

@cwperks cwperks Sep 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the way that bouncycastle releases artifacts. Until last month the securityplugin was using jdk15on, but then switched to jdk15to18 (PR where it was changed: opensearch-project/security#2901). I plan to open an issue about using jdk18on.

Copy link
Contributor

@reta reta Sep 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this is due to #9289, the BC has moved to core and now we need this permission to manage security providers.

permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";
permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
};

//// Everything else:

grant {
Expand Down